I. Organization Information, Concerned Parties

MidasCoin & MidasPool
http://MidasCoin.io / http://MidasPool.io

About BITCOMSEC 

BITCOMSEC, or Bitcoin Community Security Project is a security research organization 
comprised of web vulnerability researchers and web service developers. 
We provide public internet communities with wide ranging security consultation and 
notification free of charge, for the betterment of the community, and for the deeper 
understanding of security issues that affect all users. Our members are individuals who have 
been notified of vulnerabilities by us, and who in turn volunteer their time to further the 
project's purpose. 

Our goal is to positively influence the perception of bitcoin and the internet by providing these 
services on a donation and volunteer basis, allowing us to assist communities which other 
organizations cannot or will not help. We rely heavily upon donations via Bitcoin to continue 
our practice, BTC @ 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9. 



Our Successes and Donors Include:

Bitcoin.de
CloudFlare.com
OpenLibrary.org
Archive.org
CoinSetter.com
BitcoinFoundation.org
MTGox.com
Circle.com
deals.EBay.com
CoinJar.com
Unisend.com
BTCInstant.com
Ecash.io
PrimeCoinVPS.com
Bitcoin-Cigarettes.com
BahtCoin.com
BTCVacations.com
ECurrencyZone.com
BitcoinsinBerlin.com
BitcoinMalaysia.com
BTCx.se
EBay.cn
Central.com
Coinmkt.com
labs.EBay.com
Microsoft.fr
blog.Microsoft.com.tk
merchant.Paypal.com

and many, many more...
II. Research and Findings

Initial Investigation

We were contacted by an administrator of the MidasCoin/MidasPool projects to assist in
assessing a potential compromise of their infrastructure by unknown attacker(s). He provided
us with partial command history showing the execution of a curl command exfiltrating data
from one server to an unauthorized external site.

Upon further inspection we discovered that the attacker had used that site for
offloading content, user credentials and database information from multiple sources,
specifically MidasPool.io. We were able to research the site thoroughly and found it to be
completely open, which allowed us to ascertain exactly what data was exfiltrated, and when and
how the attacker was using the information.



What we found

We found that the attacker was able to maintain a current log of user credentials on the
MidasPool.io MPOS frontend. A small backdoor was carefully placed in the MOTD section of
the site: an appended jQuery form stealer forwarding all login information to
http://[victim]/wall/log.php. That script would then parse the incoming serialized data,
separating the username and password fields for inclusion in a rogue database server
("85.25.152.63").

After this discovery the MidasCoin/MidasPool administrators were able to locate the
backdoor and close it. The major consequence of this backdoor is compromised
user security and potentially unrestricted access to all user accounts on the system.

We continued our research to ensure that the infrastructure of MidasCoin/MidasPool is free of
ongoing intrusion and, hopefully, to eliminate this persistent threat.

Conclusions

The MidasPool project and its servers were most likely compromised through leakage of a
universal password via interception of communications. The attacker first logged into some of the
servers around September 8th 2014, and his access ended the moment the administration
team updated passwords and enabled a restrictive firewall. His last attempts to log into
any of the servers were around September 23rd/24th, but by then he had lost his access. The
UFW firewall logs indicate he tried multiple times to access multiple servers; these can
be viewed in the Appendix at the end of this report.

He not only compromised the project by scouring the servers for information, but also
compromised users of the MidasPool project by accessing the database. By backdooring the
MPOS pooling software he also compromised any universal passwords reused by users of
the project. It is also likely he began infiltrating their personal lives with access to their
passwords.

Fortunately for the project, the attacker in this case was not a seasoned hacker; in all likelihood he
is a web developer with some form of Unix experience and knowledge of MPOS and crypto-currencies.
His cleaning of some logs indicates that he knew what he was doing
was wrong, but his inexperience left behind a treasure trove of information that allowed us to
correctly assess the damage.

Finally, although it is not strictly necessary to reinstall all of the servers because of
the compromise (we have no proof he modified service daemons or system configurations, or
installed kernel rootkits or userland backdoors), these servers should be scrutinized, and
every single password across every server, from user accounts to MySQL logins and stratum
logins, needs to be changed. Otherwise he will find a way back in and use
these unchanged credentials to access the data all over again.

If the MidasCoin/MidasPool projects require the assistance of BITCOMSEC to carry out any of
these recommendations, or to assist in securing the servers in the future, we are open to helping.

Thank you.
Live Forensic Audit

In order to keep the MidasCoin project going without affecting its uptime or functionality we
had to delicately scour the filesystem for file changes within a period of time, looking for signs
of ongoing access by the intruder, be it via backdoor or administrative login. Below you will find a
list of the servers audited and what was done in the process.

NOTE: Servers not listed here were audited as well, but those with no findings
to report have been omitted.

node1.midaspool.io:

In a live forensic audit we try our best not to taint the environment, so we keep modification
of the filesystem to a minimum in case an off-site forensic audit is needed in the near
future. Our footprint on the server was minimal, and we made no
changes or modifications to the systems we researched.

We searched through user history files looking for commands that are seemingly arbitrary and
outside the scope of the administration team's usual command usage. In the case of node1
and its partner node servers we found no obvious signs of arbitrary commands stored in the
history files.

We did however discover evidence that the attacker attempted, and eventually succeeded in,
logging into the server via SSH between September 19th and 23rd of 2014.

last -i output:

ubuntu pts/0 66.172.33.140 Fri Sep 19 22:33 - 22:34 (00:00)
(see Appendix, Diagram A)

Authentication Logs

In the following logs you will see that the attacker used his chunkhost server to make attempts
at logging into node1. He clearly had the password to the server, but did not know which user
to log in as. He tried to log in as 'node', 'node1', 'stratum1', 'root' and eventually 'ubuntu'.

(see Appendix, Diagram B)
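A small triage script of the kind that makes this pattern visible, added here as an example and not part of the BITCOMSEC report: it parses sshd lines like those in Diagram B together with UFW BLOCK lines like those in the UFW firewall log excerpt, aggregates them per source address, and flags a source that guesses across several usernames, then succeeds with a password, and keeps probing after the firewall blocks it. The sample lines are constructed after the appendix excerpts (the publickey login from 10.0.0.5 is invented to show a login that is not flagged); the three-failure threshold and the finding names are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the node1 auth.log and ufw.log excerpts
# in the Appendix (Diagrams A and B); the publickey line is invented.
SAMPLE_LINES = """\
Sep 19 05:49:05 Node1 sshd[7781]: Failed password for root from 66.172.33.140 port 52030 ssh2
Sep 19 06:05:57 Node1 sshd[7788]: Invalid user stratum1 from 66.172.33.140
Sep 19 06:06:03 Node1 sshd[7788]: Failed password for invalid user stratum1 from 66.172.33.140 port 52185 ssh2
Sep 19 08:54:50 Node1 sshd[7971]: Failed password for ubuntu from 66.172.33.140 port 52339 ssh2
Sep 19 08:55:22 Node1 sshd[7971]: message repeated 2 times: [ Failed password for ubuntu from 66.172.33.140 port 52339 ssh2]
Sep 19 22:33:41 Node1 sshd[8497]: Accepted password for ubuntu from 66.172.33.140 port 53094 ssh2
Sep 20 10:00:01 Node1 sshd[9001]: Accepted publickey for ubuntu from 10.0.0.5 port 40000 ssh2
Sep 23 08:29:14 Node1 kernel: [560878.252984] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53124 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IPV4)
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from " + IPV4)
REPEATED = re.compile(r"message repeated (\d+) times: \[ (.*?)\]")
UFW_BLOCK = re.compile(r"\[UFW BLOCK\] .*?SRC=" + IPV4 + r" DST=" + IPV4 + r" .*?DPT=(\d+)")


def new_record():
    return {"failed": 0, "users_tried": set(), "accepted": [], "blocked_ports": set()}


def summarize(lines):
    """Aggregate sshd authentication events and UFW blocks per source address."""
    by_src = defaultdict(new_record)
    for line in lines:
        weight = 1
        rep = REPEATED.search(line)
        if rep:
            # syslog collapses N identical messages into one line; expand the count
            weight, line = int(rep.group(1)), rep.group(2)
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            by_src[src]["failed"] += weight
            by_src[src]["users_tried"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            by_src[src]["accepted"].append((method, user))
            continue
        m = UFW_BLOCK.search(line)
        if m:
            src, _dst, dport = m.groups()
            by_src[src]["blocked_ports"].add(int(dport))
    return by_src


def findings(by_src, min_failures=3):
    """Rules derived from the node1 pattern: guessing across several usernames that
    ends in an accepted password login, and the same source still probing after
    the firewall went up. Thresholds are this example's assumptions."""
    out = []
    for src, rec in sorted(by_src.items()):
        guessed = rec["failed"] >= min_failures and len(rec["users_tried"]) >= 2
        pw_logins = [user for method, user in rec["accepted"] if method == "password"]
        if guessed and pw_logins:
            out.append((src, "guessing-then-success", sorted(rec["users_tried"]), pw_logins))
        elif guessed:
            out.append((src, "guessing", sorted(rec["users_tried"]), []))
        elif pw_logins:
            out.append((src, "password-login", [], pw_logins))
        if rec["blocked_ports"] and (guessed or pw_logins):
            out.append((src, "still-probing-after-block", sorted(rec["blocked_ports"]), []))
    return out


if __name__ == "__main__":
    for item in findings(summarize(SAMPLE_LINES.splitlines())):
        print(item)
```

Run against a real auth.log the script reads the rotated files as well (auth.log.1 in the appendix), and the "message repeated N times" handling matters: without it the ubuntu guesses here would be undercounted by two and the source could slip under the threshold.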
MidasCoin Logs:

During our initial investigation into the compromise of the projects and the intrusion we
identified the attacker's range of IP addresses, all originating from ISPs in the Philippines. With
this knowledge we also scoured logs on the server for connections from his IPs and his
IP range, and concluded that he was also running a MidasCoin wallet from his
home computer(s):

(see Appendix, Diagram C)

MerchatApiDashboard / 146.185.191.180

As with the node1 server, the attacker was readily accessing the MerchantAPI Dashboard
server between September 8th and 20th 2014:

root pts/2 66.172.33.140 Sat Sep 20 02:35 - 02:35 (00:00)
root pts/3 66.172.33.140 Fri Sep 19 00:51 - 03:07 (02:16)
root pts/3 66.172.33.140 Thu Sep 18 00:22 - 00:23 (00:00)
root pts/3 66.172.33.140 Thu Sep 11 03:30 - 04:26 (00:55)
root pts/3 66.172.33.140 Tue Sep 9 05:19 - 06:32 (01:12)
root pts/7 66.172.33.140 Mon Sep 8 15:12 - 15:12 (00:00)
root pts/6 66.172.33.140 Mon Sep 8 14:10 - 23:14 (09:03)

Authentication Logs

(see Appendix, Diagram D)

NOTE: Attacker logs into server as user 'root' from his home IP:

auth.log.2:Sep 8 13:18:35 MerchatApiDashboard sshd[30668]: Accepted password for root from 121.54.58.245 port 53369 ssh2

stratumlow, stratumbig and stratumnice.midaspool.com

We discovered that the attacker also logged into these stratum servers between September
19th and 20th 2014. The activity on all three servers is identical. On all three servers he
created a backdoor account named 'uroot':
uroot:x:1001:1001:,,,:/home/ubuntu:/bin/bash

uroot:$6$mMxoROhR$d6vw84iwZxs6mb8WSjMaspuF6MS4/xVa7DXnrflumwzGwuQ85doDCdnCbWNdTQpK1XibZTzh3uWqC1abHj9Kn.:16333:0:99999:7:::
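The passwd and shadow entries above carry three tells that an audit can check for mechanically: the account's home directory is another user's (/home/ubuntu), the GECOS field is empty, and the third shadow field (days since 1970-01-01 of the last password change) falls inside the intrusion window. The following account audit is an added example, not tooling from the report; its passwd and shadow excerpts are constructed, with placeholder hashes, and the intrusion window of September 8th to 24th 2014 is taken from the report's timeline.

```python
from collections import Counter
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
INTRUSION_WINDOW = (date(2014, 9, 8), date(2014, 9, 24))  # from the report's timeline

# Constructed /etc/passwd and /etc/shadow excerpts. The uroot entry copies the shape
# of the backdoor account found on the stratum servers; the hashes are placeholders.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
uroot:x:1001:1001:,,,:/home/ubuntu:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$placeholder$hash:16100:0:99999:7:::
www-data:*:15000:0:99999:7:::
ubuntu:$6$placeholder$hash:16100:0:99999:7:::
uroot:$6$placeholder$hash:16333:0:99999:7:::
"""


def shadow_day(days_since_epoch):
    """Field 3 of /etc/shadow: last password change, in days since 1970-01-01."""
    return EPOCH + timedelta(days=int(days_since_epoch))


def parse_passwd(text):
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        entries[fields[0]] = {"hash": fields[1],
                              "lastchg": shadow_day(fields[2]) if fields[2] else None}
    return entries


def has_login_shell(user):
    return not user["shell"].endswith(("nologin", "/false"))


def audit_accounts(passwd_text, shadow_text, window_start, window_end):
    """Flag accounts that look planted: a non-root UID 0, a login account whose home
    directory belongs to another user, an empty GECOS field, or a usable password
    set inside the intrusion window."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    home_owners = Counter(u["home"] for u in users)
    findings = []
    for u in users:
        name = u["name"]
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid-0-alias"))
        if has_login_shell(u) and home_owners[u["home"]] > 1 and not u["home"].endswith("/" + name):
            findings.append((name, "home-belongs-to-another-user:" + u["home"]))
        if has_login_shell(u) and u["gecos"].strip(",") == "":
            findings.append((name, "empty-gecos"))
        s = shadow.get(name)
        if s and s["lastchg"] and s["hash"] not in ("*", "!", "!!") \
                and window_start <= s["lastchg"] <= window_end:
            findings.append((name, "password-set-in-window:" + s["lastchg"].isoformat()))
    return findings


def audit_sample():
    return audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE, *INTRUSION_WINDOW)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

The last-change day 16333 from the real shadow line resolves to 2014-09-20, which agrees with the September 19th-20th logins on the stratum servers; on a live host the same check runs over /etc/passwd and /etc/shadow read as root, and the window should be set from the earliest suspicious login in the authentication logs.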

He did not leave behind any command history; he had a tendency to clean up his
command history in prior intrusions into these servers, probably with 'history -c' or by
manually editing his commands out of the history files.

Analyzing the UFW firewall logs we discovered that the attacker tried to connect to the
servers as recently as September 23rd 2014, days after the firewall was put in place and he
lost his access.

More evidence of his intrusion can be found in the logs in the Appendix.
(see Appendix, Diagram E)
III. Request for Donations

BITCOMSEC is an entirely volunteer run organization. All BITCOMSEC backed security 
research is performed upon organization controlled machines, to help ensure the security of 
the internet communities we work with. If we have helped you, please consider making a 
BTC donation to our operational fund. We pledge to use these funds to further the 
BITCOMSEC organization's goals and to help increase security among the entire bitcoin and 
internet ecosystem, to pay out bounties, and to acquire research hardware. 

Donate BTC to us @ 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9 

Thank you for your generosity. 
IV. Recommendations and Ramifications

Please contact BITCOMSEC with any questions you may have. We help organizations like
yours with vulnerability mitigation, configuration best practices, software development, and
other requests for assistance. Contact our technical team directly at
research@bitcomsec.org.

We will be happy to assist with any technology and security related issues.

MidasCoin/MidasPool projects, sites, servers and users were compromised in an attack.
BITCOMSEC has reviewed the requested servers. As it stands the intrusion has
been halted; however, there are some recommendations we would make to assist with
recovery and future prevention. BITCOMSEC extends an offer of service to assist you with
future vulnerability prevention and mitigation, to ensure that these kinds of intrusions are
prevented and minimized in the future.

Centralized log server 

During our research we found that the MidasCoin/MidasPool project had many servers spread
throughout its organization. Many of these machines contained log files that were analyzed
neither before nor after the intrusion; they should be a focus from here on.

By implementing a server dedicated to centralized logging your administrative team will have 
a better chance of catching these types of intrusions early on before any critical infrastructure 
is compromised. 

ref: http://jasonwilder.com/blog/2013/07/16/centralized-logging-architecture/ 
ref: Splunk.com (not free) but there are alternatives 

Nagios 

Nagios is a tool designed to monitor and alert you of downtime of any of your servers and 
services. It is (nearly) real-time (based on configuration of services) and can alert you as soon 
as a service on a server goes down. This will help you determine if attackers have been 
meddling with daemons at any point. Overall it is a great tool to have at your disposal. 
Authentication

A primary requirement of security is that the administration team use public key
authentication to log into the network via SSH. Each admin generates a key pair, uploads the
public key to /home/ubuntu/.ssh/authorized_keys or /root/ubuntu/.ssh/authorized_keys, and all
future logins are then handled by OpenSSH's public key authentication rather than by
password. This removes a potentially very large attack vector.
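Uploading keys is only half of the change: password logins stay open until sshd_config turns them off. The checker below is an added example, not configuration or code from the report or the project. It shows a stock-looking sshd_config next to a hardened one and audits each against a small key-only policy; the two config excerpts are constructed, and the policy values (including PermitRootLogin prohibit-password, whose older spelling without-password is accepted too) are this example's assumptions. It also reproduces two sshd(8) parsing rules that catch people out: the first occurrence of a directive wins, and settings inside a Match block are conditional.

```python
# Key-only login policy for this example; the wanted values are assumptions of the
# example, not settings quoted from the report.
POLICY = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "prohibit-password",
}
ROOT_OK = {"no", "prohibit-password", "without-password"}  # older spelling still accepted

# Constructed sshd_config excerpts: a stock-looking file and a hardened one.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return the effective global settings with keywords lower-cased. sshd(8) uses
    the first occurrence of a keyword, so later duplicates are ignored, and a Match
    block only applies conditionally, so parsing stops at the first Match line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List (directive, actual, wanted) for each policy directive that is missing or weak."""
    settings = parse_sshd_config(text)
    problems = []
    for key, wanted in POLICY.items():
        actual = settings.get(key)
        if actual is None:
            problems.append((key, "unset (daemon default applies)", wanted))
        elif key == "permitrootlogin" and actual in ROOT_OK:
            continue
        elif actual != wanted:
            problems.append((key, actual, wanted))
    return problems


if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
```

On a live host, `sshd -T` prints the daemon's effective configuration with defaults filled in, which is the more reliable input for such a check than the file itself; keep a second session open while reloading sshd so that a typo in the new file cannot lock the team out.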

HIDS / Host Intrusion Detection System 

HIDS software is very specific in what it does. It scours your entire filesystem, creating
a cryptographic hash of each file, and saves these hashes to a cryptographically signed
database that is tamper-evident.

When the HIDS software runs again, either manually or daily from crontab, it will alert you to
changes in the filesystem and give you information on what was changed, in a diff-style
report.

Utilizing a tool like Samhain, which goes hand in hand with your centralized log server, will
help you catch these types of intrusions and provide actual evidence that one has taken
place.

ref: http://www.la-samhna.de ; Tripwire (commercial) and OSSEC are alternatives.
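The mechanism those tools implement fits in a short script, shown here as an added example rather than code from Samhain, Tripwire or the report: walk a tree, record a SHA-256, mode and size per file, sign the database with an HMAC so that an intruder who edits it is caught, and on the next run report added, removed and modified paths. The demo tree, the modifications and the signing key are constructed; a real deployment keeps the key and a copy of the signed database off the monitored host, which is why the report pairs the HIDS with the central log server.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Hash, mode and size of every regular file under root, keyed by relative path."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "mode": oct(st.st_mode & 0o7777), "size": st.st_size}
    return entries


def sign_baseline(entries, key):
    """Attach an HMAC so that edits to the database itself are detected. The key must
    be kept off the monitored host (constructed key in the demo below)."""
    payload = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_baseline(signed, key):
    payload = json.dumps(signed["entries"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(signed["mac"], expected)


def compare(baseline, current):
    """Diff-style report: which paths appeared, vanished or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate a modified web file,
    a dropped new file and a deleted file, and run the check again."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "www").mkdir()
        (root / "www" / "index.php").write_text("<?php echo 'pool'; ?>\n")
        signed = sign_baseline(build_baseline(root), key)

        (root / "www" / "index.php").write_text("<?php echo 'pool'; ?>\n// appended later\n")
        (root / "www" / "log.php").write_text("<?php // new file ?>\n")
        (root / "etc" / "motd").unlink()

        db_intact = verify_baseline(signed, key)
        return db_intact, compare(signed["entries"], build_baseline(root))


if __name__ == "__main__":
    intact, report = demo()
    print("baseline intact:", intact)
    print(json.dumps(report, indent=2))
```

A web root that gains a new PHP file, as in the demo, is exactly the kind of change that would have surfaced the MPOS form stealer early; the check only has value if the baseline was taken before the intrusion, which is one more reason to deploy it at rebuild time rather than after the next incident.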



Reinstallation 

The servers affected above more than likely need to be reinstalled, or at the very least have
all passwords changed. It is apparent that the attacker has seen and documented logins for
the proxypool/stratum configuration, MySQL database login information and miscellaneous
passwords that should not be seen by the public.

Although the attacker no longer has access to these systems, it is very possible that he, like any
other attacker, may be able to elevate privileges in the future, and if the internal passwords
remain the same he will be able to infiltrate the network and exfiltrate data all over again.

I recommend that all passwords be changed, and that all midascoin daemons and service configurations
be recompiled, reinstalled and confirmed untampered. Although there is no firm
proof that he modified configuration files, or any other data besides the MPOS
backdoor he implemented, it is better to be safe than sorry.

Contact BITCOMSEC for deployment specific mitigation techniques.

V. Contact Information

BITCOMSEC Technical and General Inquiry Email Address 

research@bitcomsec.org

Client Provided Contact Information: 

Administrator 

info@midaspay.io 
Appendix:

Diagram A

UFW Firewall logs:

./kern.log:Sep 23 08:29:14 Node1 kernel: [560878.252984] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53124 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./kern.log:Sep 23 08:29:15 Node1 kernel: [560879.249138] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53125 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./kern.log:Sep 23 08:29:17 Node1 kernel: [560881.249994] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53126 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./kern.log:Sep 23 08:29:21 Node1 kernel: [560885.247644] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53127 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./kern.log:Sep 23 08:29:29 Node1 kernel: [560893.250827] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53128 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./kern.log:Sep 23 08:29:45 Node1 kernel: [560909.257464] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53129 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./kern.log:Sep 23 08:30:17 Node1 kernel: [560941.238602] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53130 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./ufw.log:Sep 23 08:29:14 Node1 kernel: [560878.252984] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53124 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./ufw.log:Sep 23 08:29:15 Node1 kernel: [560879.249138] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53125 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./ufw.log:Sep 23 08:29:17 Node1 kernel: [560881.249994] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53126 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./ufw.log:Sep 23 08:29:21 Node1 kernel: [560885.247644] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53127 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./ufw.log:Sep 23 08:29:29 Node1 kernel: [560893.250827] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53128 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./ufw.log:Sep 23 08:29:45 Node1 kernel: [560909.257464] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53129 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
./ufw.log:Sep 23 08:30:17 Node1 kernel: [560941.238602] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:03:cd:02:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=178.32.55.161 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=53130 DF PROTO=TCP SPT=54406 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Diagram B

./auth.log.1:Sep 19 05:49:02 Node1 sshd[7781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
./auth.log.1:Sep 19 05:49:05 Node1 sshd[7781]: Failed password for root from 66.172.33.140 port 52030 ssh2
./auth.log.1:Sep 19 05:49:09 Node1 sshd[7781]: Connection closed by 66.172.33.140 [preauth]
./auth.log.1:Sep 19 05:57:44 Node1 sshd[7784]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
./auth.log.1:Sep 19 05:57:46 Node1 sshd[7784]: Failed password for root from 66.172.33.140 port 52137 ssh2
./auth.log.1:Sep 19 05:57:55 Node1 sshd[7784]: Failed password for root from 66.172.33.140 port 52137 ssh2
./auth.log.1:Sep 19 05:58:00 Node1 sshd[7784]: Connection closed by 66.172.33.140 [preauth]
./auth.log.1:Sep 19 05:58:00 Node1 sshd[7784]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
./auth.log.1:Sep 19 06:00:11 Node1 sshd[7786]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
./auth.log.1:Sep 19 06:00:13 Node1 sshd[7786]: Failed password for root from 66.172.33.140 port 52138 ssh2
./auth.log.1:Sep 19 06:00:26 Node1 sshd[7786]: Failed password for root from 66.172.33.140 port 52138 ssh2
./auth.log.1:Sep 19 06:00:37 Node1 sshd[7786]: Connection closed by 66.172.33.140 [preauth]
./auth.log.1:Sep 19 06:00:37 Node1 sshd[7786]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
./auth.log.1:Sep 19 06:05:57 Node1 sshd[7788]: Invalid user stratum1 from 66.172.33.140
./auth.log.1:Sep 19 06:06:01 Node1 sshd[7788]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com
./auth.log.1:Sep 19 06:06:03 Node1 sshd[7788]: Failed password for invalid user stratum1 from 66.172.33.140 port 52185 ssh2
./auth.log.1:Sep 19 06:06:05 Node1 sshd[7788]: Connection closed by 66.172.33.140 [preauth]
./auth.log.1:Sep 19 08:54:48 Node1 sshd[7971]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=ubuntu
./auth.log.1:Sep 19 08:54:50 Node1 sshd[7971]: Failed password for ubuntu from 66.172.33.140 port 52339 ssh2
./auth.log.1:Sep 19 08:55:22 Node1 sshd[7971]: message repeated 2 times: [ Failed password for ubuntu from 66.172.33.140 port 52339 ssh2]
./auth.log.1:Sep 19 08:55:24 Node1 sshd[7971]: Connection closed by 66.172.33.140 [preauth]
./auth.log.1:Sep 19 08:55:24 Node1 sshd[7971]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=ubuntu
./auth.log.1:Sep 19 22:33:14 Node1 sshd[8491]: Invalid user node from 66.172.33.140
./auth.log.1:Sep 19 22:33:15 Node1 sshd[8491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com
./auth.log.1:Sep 19 22:33:17 Node1 sshd[8491]: Failed password for invalid user node from 66.172.33.140 port 53091 ssh2
./auth.log.1:Sep 19 22:33:24 Node1 sshd[8493]: Invalid user node1 from 66.172.33.140
./auth.log.1:Sep 19 22:33:25 Node1 sshd[8493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com
./auth.log.1:Sep 19 22:33:27 Node1 sshd[8493]: Failed password for invalid user node1 from 66.172.33.140 port 53092 ssh2
./auth.log.1:Sep 19 22:33:33 Node1 sshd[8495]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
./auth.log.1:Sep 19 22:33:34 Node1 sshd[8495]: Failed password for root from 66.172.33.140 port 53093 ssh2
./auth.log.1:Sep 19 22:33:41 Node1 sshd[8497]: Accepted password for ubuntu from 66.172.33.140 port 53094 ssh2
./auth.log.1:Sep 19 22:34:23 Node1 sshd[8491]: Connection closed by 66.172.33.140 [preauth]
./auth.log.1:Sep 19 22:34:23 Node1 sshd[8493]: Connection closed by 66.172.33.140 [preauth]
./auth.log.1:Sep 19 22:34:23 Node1 sshd[8495]: Connection closed by 66.172.33.140 [preauth]
2014-09-20 01:41:25 accepted connection 121.54.58.226:18143
2014-09-20 01:41:25 send version message: version 70003, blocks=1345, us=178.32.55.161:9554, them=121.54.58.226:18143, peer=121.54.58.226:18143
2014-09-20 01:41:25 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=0, us=178.32.55.161:9554, them=[2001:0:5ef5:79fb:242f:5f91:86c9:c51d]:9554, peer=121.54.58.226:18143
2014-09-20 01:42:25 disconnecting node 121.54.58.226:18143
2014-09-20 05:50:23 accepted connection 121.54.58.226:20020
2014-09-20 05:50:23 send version message: version 70003, blocks=1440, us=178.32.55.161:9554, them=121.54.58.226:20020, peer=121.54.58.226:20020
2014-09-20 05:50:23 Moving 121.54.58.226:9554 to tried
2014-09-20 05:50:23 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=1385, us=178.32.55.161:9554, them=121.54.58.226:9554, peer=121.54.58.226:20020
2014-09-20 06:15:07 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=1447, us=178.32.55.161:9554, them=121.54.58.226:9554, peer=222.127.56.33:37172
2014-09-20 06:41:05 disconnecting node 121.54.58.226:20020
2014-09-20 06:53:23 accepted connection 121.54.58.226:20036
2014-09-20 06:53:23 send version message: version 70003, blocks=1456, us=178.32.55.161:9554, them=121.54.58.226:20036, peer=121.54.58.226:20036
2014-09-20 06:53:23 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=1456, us=178.32.55.161:9554, them=120.28.254.30:9554, peer=121.54.58.226:20036
2014-09-20 07:17:10 disconnecting node 121.54.58.226:20036
2014-09-20 15:15:56 accepted connection 121.54.58.244:34897
2014-09-20 15:15:56 send version message: version 70003, blocks=1649, us=178.32.55.161:9554, them=121.54.58.244:34897, peer=121.54.58.244:34897
2014-09-20 15:15:56 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=1649, us=178.32.55.161:9554, them=121.54.58.224:9554, peer=121.54.58.244:34897
2014-09-20 16:05:08 disconnecting node 121.54.58.244:34897
2014-09-20 16:15:30 accepted connection 121.54.58.244:34959
2014-09-20 16:15:30 send version message: version 70003, blocks=1660, us=178.32.55.161:9554, them=121.54.58.244:34959, peer=121.54.58.244:34959
2014-09-20 16:15:30 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=1660, us=178.32.55.161:9554, them=121.54.58.224:9554, peer=121.54.58.244:34959
2014-09-20 16:41:31 disconnecting node 121.54.58.244:34959
2014-09-20 19:14:00 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=1730, us=178.32.55.161:9554, them=121.54.58.224:9554, peer=120.28.254.30:33312
2014-09-21 15:44:27 accepted connection 121.54.58.243:54727
2014-09-21 15:44:27 send version message: version 70003, blocks=2210, us=178.32.55.161:9554, them=121.54.58.243:54727, peer=121.54.58.243:54727
2014-09-21 15:44:27 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=2210, us=178.32.55.161:9554, them=121.54.58.224:9554, peer=121.54.58.243:54727
2014-09-21 16:23:02 disconnecting node 121.54.58.243:54727
2014-09-22 08:24:52 accepted connection 121.54.58.243:58674
2014-09-22 08:24:52 send version message: version 70003, blocks=2590, us=178.32.55.161:9554, them=121.54.58.243:58674, peer=121.54.58.243:58674
2014-09-22 08:24:52 Added 121.54.58.243:9554 from 121.54.58.243: 128 tried, 5872 new
2014-09-22 08:24:52 Moving 121.54.58.243:9554 to tried
2014-09-22 08:24:52 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=2590, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=121.54.58.243:58674
2014-09-22 08:31:58 AcceptToMemoryPool: 121.54.58.243:58674 /Satoshi:0.8.7.2/ : accepted 74af1ca69c33e5d6f4b50914fb0e7f6f0b06616590bda98a9d3a9fc149161713 (poolsz 8)
2014-09-22 09:14:04 disconnecting node 121.54.58.243:58674
2014-09-22 12:43:46 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=2701, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=120.28.240.199:4710
2014-09-22 15:41:52 accepted connection 121.54.58.243:60744
2014-09-22 15:41:52 send version message: version 70003, blocks=2761, us=178.32.55.161:9554, them=121.54.58.243:60744, peer=121.54.58.243:60744
2014-09-22 15:41:52 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=2761, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=121.54.58.243:60744
2014-09-22 16:09:20 disconnecting node 121.54.58.243:60744
2014-09-22 16:23:08 accepted connection 121.54.58.243:60763
2014-09-22 16:23:08 send version message: version 70003, blocks=2770, us=178.32.55.161:9554, them=121.54.58.243:60763, peer=121.54.58.243:60763
2014-09-22 16:23:08 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=2770, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=121.54.58.243:60763
2014-09-22 17:51:08 disconnecting node 121.54.58.243:60763
2014-09-22 18:17:42 accepted connection 121.54.58.247:36130
2014-09-22 18:17:42 send version message: version 70003, blocks=2817, us=178.32.55.161:9554, them=121.54.58.247:36130, peer=121.54.58.247:36130
2014-09-22 18:17:42 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=2817, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=121.54.58.247:36130
2014-09-22 20:48:58 disconnecting node 121.54.58.247:36130
2014-09-23 03:11:36 accepted connection 121.54.58.245:15917
2014-09-23 03:11:36 send version message: version 70003, blocks=3027, us=178.32.55.161:9554, them=121.54.58.245:15917, peer=121.54.58.245:15917
2014-09-23 03:11:36 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3027, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=121.54.58.245:15917
2014-09-23 04:08:31 disconnecting node 121.54.58.245:15917
2014-09-23 04:10:34 accepted connection 121.54.58.245:17688
2014-09-23 04:10:34 send version message: version 70003, blocks=3042, us=178.32.55.161:9554, them=121.54.58.245:17688, peer=121.54.58.245:17688
2014-09-23 04:10:34 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3042, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=121.54.58.245:17688
2014-09-23 04:48:47 accepted connection 121.54.58.243:16330
2014-09-23 04:48:47 send version message: version 70003, blocks=3054, us=178.32.55.161:9554, them=121.54.58.243:16330, peer=121.54.58.243:16330
2014-09-23 04:48:47 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3054, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=121.54.58.243:16330
2014-09-23 05:03:20 disconnecting node 121.54.58.245:17688
2014-09-23 06:51:15 accepted connection 121.54.58.241:11135
2014-09-23 06:51:15 send version message: version 70003, blocks=3107, us=178.32.55.161:9554, them=121.54.58.241:11135, peer=121.54.58.241:11135
2014-09-23 06:51:15 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3107, us=178.32.55.161:9554, them=121.54.58.243:9554, peer=121.54.58.241:11135
2014-09-23 07:04:55 disconnecting node 121.54.58.243:16330
2014-09-23 08:37:06 disconnecting node 121.54.58.241:11135
2014-09-23 11:12:02 accepted connection 121.54.58.240:38377
2014-09-23 11:12:02 send version message: version 70003, blocks=3205, us=178.32.55.161:9554, them=121.54.58.240:38377, peer=121.54.58.240:38377
2014-09-23 11:12:02 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3205, us=178.32.55.161:9554, them=121.54.58.241:9554, peer=121.54.58.240:38377
2014-09-23 13:16:19 accepted connection 121.54.58.240:46870
2014-09-23 13:16:30 send version message: version 70003, blocks=3254, us=178.32.55.161:9554, them=121.54.58.240:46870, peer=121.54.58.240:46870
2014-09-23 13:16:30 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3254, us=178.32.55.161:9554, them=121.54.58.241:9554, peer=121.54.58.240:46870
2014-09-23 13:21:49 disconnecting node 121.54.58.240:38377
2014-09-23 16:10:53 disconnecting node 121.54.58.240:46870
2014-09-23 16:14:45 accepted connection 121.54.58.240:40339
2014-09-23 16:14:45 send version message: version 70003, blocks=3315, us=178.32.55.161:9554, them=121.54.58.240:40339, peer=121.54.58.240:40339
2014-09-23 16:14:45 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3312, us=178.32.55.161:9554, them=121.54.58.241:9554, peer=121.54.58.240:40339
2014-09-23 17:44:27 Added 1 addresses from 121.54.58.240: 169 tried, 5885 new
2014-09-23 23:48:31 disconnecting node 121.54.58.240:40339
2014-09-24 00:17:08 accepted connection 121.54.58.246:11827
2014-09-24 00:17:08 send version message: version 70003, blocks=3511, us=178.32.55.161:9554, them=121.54.58.246:11827, peer=121.54.58.246:11827
2014-09-24 00:17:08 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3511, us=178.32.55.161:9554, them=121.54.58.241:9554, peer=121.54.58.246:11827
2014-09-24 02:10:19 disconnecting node 121.54.58.246:11827
2014-09-24 13:32:24 accepted connection 121.54.58.246:19719
2014-09-24 13:32:24 send version message: version 70003, blocks=3731, us=178.32.55.161:9554, them=121.54.58.246:19719, peer=121.54.58.246:19719
2014-09-24 13:32:24 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3731, us=178.32.55.161:9554, them=121.54.58.241:9554, peer=121.54.58.246:19719
2014-09-24 14:26:14 disconnecting node 121.54.58.246:19719
2014-09-24 14:42:17 accepted connection 121.54.58.241:40054
2014-09-24 14:42:17 send version message: version 70003, blocks=3759, us=178.32.55.161:9554, them=121.54.58.241:40054, peer=121.54.58.241:40054
2014-09-24 14:42:17 Moving 121.54.58.241:9554 to tried
2014-09-24 14:42:17 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3759, us=178.32.55.161:9554, them=121.54.58.241:9554, peer=121.54.58.241:40054
2014-09-24 16:57:56 disconnecting node 121.54.58.241:40054
2014-09-24 16:58:18 accepted connection 121.54.58.241:40178 

2014-09-24 16:58:18 send version message: version 70003, blocks=3805, us=178. 32. 55.161:9554, them=121 .54.58.241 :40178, peer=121. 54. 58.241:40178 
2014-09-24 16:58:18 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3805, us=178.32.55.161 :9554, them=121 .54.58.241:9554, 
peer=1 21 .54.58.241:401 78 

2014-09-24 17:48:32 accepted connection 121.54.58.241:40216 

2014-09-24 17:48:32 send version message: version 70003, blocks=3809, us=178. 32. 55.161:9554, them=121 .54.58.241 :40216, peer=121. 54. 58.241:40216 
2014-09-24 17:48:32 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=3809, us=178.32.55.161 :9554, them=121 .54.58.241:9554, 
peer=121. 54.58.241:40216 

2014-09-24 18:03:13 disconnecting node 121.54.58.241:40178 
2014-09-24 18:24:38 disconnecting node 121.54.58.241:40216 
2014-09-25 02:30:27 accepted connection 121.54.58.245:34577 

2014-09-25 02:30:27 send version message: version 70003, blocks=4044, us=178. 32. 55.161:9554, them=121 .54.58.245:34577, peer=121. 54. 58.245:34577 
2014-09-25 02:30:27 receive version message: /Satoshi:0.8.7.2/: version 70003, blocks=4044, us=178.32.55.161 :9554, them=121 .54.58.241:9554, 
peer=1 21 .54.58.245:34577 

2014-09-25 02:54:45 disconnecting node 121.54.58.245:34577 
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Diagram D 

auth.log.1:Sep 18 00:22:31 MerchatApiDashboard sshd[14683]: Accepted password for root from 66.172.33.140 port 42584 ssh2
auth.log.1:Sep 19 00:51:13 MerchatApiDashboard sshd[19892]: Accepted password for root from 66.172.33.140 port 42588 ssh2
auth.log.1:Sep 19 15:32:28 MerchatApiDashboard sshd[19050]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
auth.log.1:Sep 19 15:32:30 MerchatApiDashboard sshd[19050]: Failed password for root from 66.172.33.140 port 43262 ssh2
auth.log.1:Sep 19 15:32:57 MerchatApiDashboard sshd[19050]: message repeated 3 times: [ Failed password for root from 66.172.33.140 port 43262 ssh2]
auth.log.1:Sep 19 15:33:02 MerchatApiDashboard sshd[19050]: Connection closed by 66.172.33.140 [preauth]
auth.log.1:Sep 19 15:33:02 MerchatApiDashboard sshd[19050]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
auth.log.1:Sep 20 02:35:05 MerchatApiDashboard sshd[4973]: Accepted password for root from 66.172.33.140 port 44022 ssh2
auth.log.2:Sep 8 14:10:36 MerchatApiDashboard sshd[32605]: Accepted password for root from 66.172.33.140 port 35943 ssh2
auth.log.2:Sep 8 15:12:37 MerchatApiDashboard sshd[1965]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
auth.log.2:Sep 8 15:12:38 MerchatApiDashboard sshd[1965]: Failed password for root from 66.172.33.140 port 36359 ssh2
auth.log.2:Sep 8 15:12:49 MerchatApiDashboard sshd[1965]: Accepted password for root from 66.172.33.140 port 36359 ssh2
auth.log.2:Sep 9 05:19:40 MerchatApiDashboard sshd[28386]: Accepted password for root from 66.172.33.140 port 37659 ssh2
auth.log.2:Sep 11 03:30:11 MerchatApiDashboard sshd[5902]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
auth.log.2:Sep 11 03:30:13 MerchatApiDashboard sshd[5902]: Failed password for root from 66.172.33.140 port 39783 ssh2
auth.log.2:Sep 11 03:30:27 MerchatApiDashboard sshd[5902]: message repeated 2 times: [ Failed password for root from 66.172.33.140 port 39783 ssh2]
auth.log.2:Sep 11 03:30:29 MerchatApiDashboard sshd[5902]: Connection closed by 66.172.33.140 [preauth]
auth.log.2:Sep 11 03:30:29 MerchatApiDashboard sshd[5902]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=root
auth.log.2:Sep 11 03:30:49 MerchatApiDashboard sshd[5920]: Accepted password for root from 66.172.33.140 port 39784 ssh2

Diagram E 
Authentication Logs 

auth.log.2:Sep 20 07:05:36 StratumLow sshd[1711]: Accepted password for ubuntu from 66.172.33.140 port 32787 ssh2
auth.log.2:Sep 20 07:25:31 StratumLow sshd[1842]: Accepted password for ubuntu from 66.172.33.140 port 32800 ssh2
auth.log.2:Sep 20 07:28:17 StratumLow sshd[1918]: Accepted password for ubuntu from 66.172.33.140 port 32801 ssh2
auth.log.2:Sep 20 07:33:43 StratumLow sshd[1983]: Accepted password for ubuntu from 66.172.33.140 port 32807 ssh2
auth.log.3:Sep 19 22:40:01 ubuntutemplate sshd[1168]: Accepted password for ubuntu from 66.172.33.140 port 60675 ssh2
auth.log.3:Sep 20 02:33:01 ubuntutemplate sshd[1309]: Accepted password for ubuntu from 66.172.33.140 port 60964 ssh2
auth.log.3:Sep 20 02:36:20 ubuntutemplate sshd[1400]: Accepted password for ubuntu from 66.172.33.140 port 60966 ssh2
./auth.log.2:Sep 20 07:15:35 StratumNice sshd[1558]: Accepted password for ubuntu from 66.172.33.140 port 41347 ssh2
./auth.log.2:Sep 20 07:31:07 StratumNice sshd[1693]: Accepted password for ubuntu from 66.172.33.140 port 41357 ssh2
./auth.log.2:Sep 20 07:32:25 StratumNice sshd[1768]: Accepted password for ubuntu from 66.172.33.140 port 41358 ssh2
./auth.log.2:Sep 20 14:13:33 StratumNice sshd[2047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-66-172-33-140.chunkhost.com user=ubuntu
./auth.log.2:Sep 20 14:13:34 StratumNice sshd[2047]: Failed password for ubuntu from 66.172.33.140 port 41378 ssh2
./auth.log.2:Sep 20 14:13:52 StratumNice sshd[2049]: Accepted password for urootfrom 66.172.33.140 port 41379 ssh2
./auth.log.3:Sep 20 02:45:54 ubuntutemplate sshd[1231]: Accepted password for ubuntu from 66.172.33.140 port 41289 ssh2 



UFW Firewall Logs 

ufw.log.1:Sep 21 14:47:19 StratumLow kernel: [149602.989837] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=8509 DF PROTO=TCP SPT=33161 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 21 14:47:20 StratumLow kernel: [149603.985837] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=8510 DF PROTO=TCP SPT=33161 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 21 14:47:22 StratumLow kernel: [149605.986624] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=8511 DF PROTO=TCP SPT=33161 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 21 14:47:26 StratumLow kernel: [149609.988283] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=8512 DF PROTO=TCP SPT=33161 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 21 14:47:34 StratumLow kernel: [149617.999537] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=8513 DF PROTO=TCP SPT=33161 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 21 14:47:50 StratumLow kernel: [149634.006113] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=8514 DF PROTO=TCP SPT=33161 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 07:14:32 StratumLow kernel: [295008.482505] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=41405 DF PROTO=TCP SPT=33570 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 07:14:33 StratumLow kernel: [295009.478100] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=41406 DF PROTO=TCP SPT=33570 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 07:14:35 StratumLow kernel: [295011.478936] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=41407 DF PROTO=TCP SPT=33570 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 07:14:39 StratumLow kernel: [295015.480559] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=41408 DF PROTO=TCP SPT=33570 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 07:14:47 StratumLow kernel: [295023.475835] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=41409 DF PROTO=TCP SPT=33570 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 07:15:03 StratumLow kernel: [295039.482384] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=41410 DF PROTO=TCP SPT=33570 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 07:15:35 StratumLow kernel: [295071.495527] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=41411 DF PROTO=TCP SPT=33570 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 08:56:05 StratumLow kernel: [301091.571196] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=32785 DF PROTO=TCP SPT=33806 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 08:56:06 StratumLow kernel: [301092.567052] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=32786 DF PROTO=TCP SPT=33806 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 08:56:08 StratumLow kernel: [301094.567876] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=32787 DF PROTO=TCP SPT=33806 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

ufw.log.1:Sep 23 08:56:12 StratumLow kernel: [301098.569870] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=32788 DF PROTO=TCP SPT=33806 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./syslog.6:Sep 23 08:56:20 StratumNice kernel: [301096.596935] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43615 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./syslog.6:Sep 23 08:56:21 StratumNice kernel: [301097.592423] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43616 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./syslog.6:Sep 23 08:56:23 StratumNice kernel: [301099.593194] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43617 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./syslog.6:Sep 23 08:56:27 StratumNice kernel: [301103.598845] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43618 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 21 11:23:10 StratumNice kernel: [137362.230282] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48963 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 21 11:23:11 StratumNice kernel: [137363.228329] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48964 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 21 11:23:13 StratumNice kernel: [137365.229079] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48965 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 21 11:23:17 StratumNice kernel: [137369.230695] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48966 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 21 11:23:25 StratumNice kernel: [137377.241948] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48967 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 21 11:23:41 StratumNice kernel: [137393.248482] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48968 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 21 11:24:13 StratumNice kernel: [137425.229644] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48969 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 23 08:56:20 StratumNice kernel: [301096.596935] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43615 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 23 08:56:21 StratumNice kernel: [301097.592423] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43616 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 23 08:56:23 StratumNice kernel: [301099.593194] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43617 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./ufw.log.1:Sep 23 08:56:27 StratumNice kernel: [301103.598845] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43618 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 21 11:23:10 StratumNice kernel: [137362.230282] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48963 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 21 11:23:11 StratumNice kernel: [137363.228329] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48964 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 21 11:23:13 StratumNice kernel: [137365.229079] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48965 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 21 11:23:17 StratumNice kernel: [137369.230695] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48966 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 21 11:23:25 StratumNice kernel: [137377.241948] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48967 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 21 11:23:41 StratumNice kernel: [137393.248482] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48968 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 21 11:24:13 StratumNice kernel: [137425.229644] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=48969 DF PROTO=TCP SPT=41678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 23 08:56:20 StratumNice kernel: [301096.596935] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43615 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 23 08:56:21 StratumNice kernel: [301097.592423] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43616 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 23 08:56:23 StratumNice kernel: [301099.593194] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43617 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

./kern.log.1:Sep 23 08:56:27 StratumNice kernel: [301103.598845] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:0b:4f:fb:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.215 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43618 DF PROTO=TCP SPT=42360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
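The authentication and firewall entries above are raw grep output, and an investigator normally wants them condensed into one per-host view of what a single source address did. As an added example, not part of the BITCOMSEC report, the Python script below parses lines in exactly those formats: OpenSSH password outcomes from auth.log, the syslog "message repeated N times" suppression (each repeat is counted as its own attempt, which matters when tallying failures), and the kernel UFW BLOCK records. The sample lines are constructed for this example in the page's format; they reuse the hostnames and addresses shown above and add one constructed benign source, 192.0.2.10, to show that filtering by source address works.

```python
import re
from collections import Counter, defaultdict

# Syslog prefix shared by auth.log and ufw.log/kern.log lines. A leading
# "file.log.N:" prefix from grep is tolerated because we search, not match.
SYSLOG_RE = re.compile(
    r"([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (sshd\[\d+\]|kernel): (.*)$"
)
# Password-authentication outcome as written by OpenSSH (publickey logins
# use a different wording and are intentionally not matched here).
SSH_AUTH_RE = re.compile(
    r"(Accepted|Failed) password for (\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)"
)
# syslog duplicate suppression: "message repeated N times: [ ... ]".
REPEAT_RE = re.compile(r"message repeated (\d+) times")
# Netfilter/UFW block record; only the fields needed for triage are captured.
UFW_RE = re.compile(
    r"\[UFW BLOCK\] .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) SPT=(\d+) DPT=(\d+)"
)


def parse_line(line):
    """Return a dict describing an SSH auth or UFW block event, else None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    ts, host, daemon, msg = m.groups()
    if daemon.startswith("sshd"):
        a = SSH_AUTH_RE.search(msg)
        if not a:
            return None  # pam_unix, preauth, etc. lines carry no outcome
        result, user, src, port = a.groups()
        rep = REPEAT_RE.search(msg)
        return {
            "kind": "ssh_" + result.lower(), "ts": ts, "host": host,
            "user": user, "src": src, "sport": int(port),
            "count": int(rep.group(1)) if rep else 1,
        }
    u = UFW_RE.search(msg)
    if not u:
        return None
    src, dst, proto, spt, dpt = u.groups()
    return {
        "kind": "ufw_block", "ts": ts, "host": host, "src": src, "dst": dst,
        "proto": proto, "sport": int(spt), "dport": int(dpt), "count": 1,
    }


def summarize(lines, source):
    """Per-host tallies of what one source address did, across log types."""
    summary = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] != source:
            continue
        if ev["kind"] == "ufw_block":
            key = "ufw_block:%s/%d" % (ev["proto"].lower(), ev["dport"])
        else:
            key = "%s:%s" % (ev["kind"], ev["user"])
        summary[ev["host"]][key] += ev["count"]
    return {host: dict(c) for host, c in summary.items()}


# Constructed sample input in the same format as the report's log excerpts.
ATTACKER = "66.172.33.140"
UFW_TAIL = ("LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=%d DF PROTO=TCP SPT=33161 "
            "DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0")
SAMPLE_LINES = [
    "auth.log.1:Sep 18 00:22:31 MerchatApiDashboard sshd[14683]: Accepted password for root from 66.172.33.140 port 42584 ssh2",
    "auth.log.1:Sep 19 15:32:30 MerchatApiDashboard sshd[19050]: Failed password for root from 66.172.33.140 port 43262 ssh2",
    "auth.log.1:Sep 19 15:32:57 MerchatApiDashboard sshd[19050]: message repeated 3 times: [ Failed password for root from 66.172.33.140 port 43262 ssh2]",
    "auth.log.2:Sep 20 07:05:36 StratumLow sshd[1711]: Accepted password for ubuntu from 66.172.33.140 port 32787 ssh2",
    # Constructed benign login from a documentation-range address (RFC 5737).
    "auth.log.2:Sep 20 08:00:00 StratumLow sshd[1800]: Accepted password for ubuntu from 192.0.2.10 port 50000 ssh2",
    "ufw.log.1:Sep 21 14:47:19 StratumLow kernel: [149602.989837] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 " + UFW_TAIL % 8509,
    "ufw.log.1:Sep 21 14:47:20 StratumLow kernel: [149603.985837] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:50:56:06:38:35:00:14:f1:a7:24:00:08:00 SRC=66.172.33.140 DST=5.196.54.212 " + UFW_TAIL % 8510,
]

if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE_LINES, ATTACKER).items()):
        print(host, counts)
```

Feed it real files with `summarize(open("auth.log.1").read().splitlines(), "66.172.33.140")`; the grep-style `file:` prefix can stay. The tally keys ("ssh_accepted:root", "ssh_failed:root", "ufw_block:tcp/22") let a reader see at a glance, per host, whether the address reached a shell, only probed, or was stopped at the firewall, which is the question the two listings above answer for the StratumLow and StratumNice hosts.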